Prerequisites:

  • In the London release, the Kafka ports are exposed through ingress.

  • Istio and Istio-Ingress are used

  • Helm settings are configured to enable the Ingress exposure of Kafka Interfaces by:
    • global values (global.ingress.enable_all)

      global:
        ingress:
          enabled: true
          # enable all component's Ingress interfaces
          enable_all: true
    • or local setting in onap-strimzi (ingress.enabled)

      ingress:
        enabled: true
        service:
        - baseaddr: "kafka-bootstrap-api"
          name: "onap-strimzi-kafka-external-bootstrap"
          port: 9094
          exposedPort: 9010
          exposedProtocol: TLS

After the deployment the interfaces are exposed through ingress and can be accessed via the following URLs:

kafka-bootstrap-api.simpledemo.onap.org
kafka-0-api.simpledemo.onap.org
kafka-1-api.simpledemo.onap.org
kafka-2-api.simpledemo.onap.org


Test preparation

Add Kafka User for external Access

  • Create kafka-user.yaml
tls-user.yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  labels:
    argocd.argoproj.io/instance: external-strimzi-kafka-user
    strimzi.io/cluster: onap-strimzi
  name: external-strimzi-kafka-user
  namespace: onap
spec:
  authentication:
    type: scram-sha-512
  authorization:
    acls:
      - resource:
          type: topic
          name: unauthenticated.VES_PERF3GPP_OUTPUT
          patternType: literal
        operation: Write
        host: "*"
      - resource:
          type: topic
          name: unauthenticated.VES_PERF3GPP_OUTPUT
          patternType: literal
        operation: Describe
        host: "*"
      - resource:
          type: topic
          name: unauthenticated.VES_NOTIFICATION_OUTPUT
          patternType: literal
        operation: Write
        host: "*"
      - resource:
          type: topic
          name: unauthenticated.VES_NOTIFICATION_OUTPUT
          patternType: literal
        operation: Describe
        host: "*"
      - resource:
          type: topic
          name: unauthenticated.SEC_3GPP_HEARTBEAT_OUTPUT
          patternType: literal
        operation: Write
        host: "*"
      - resource:
          type: topic
          name: unauthenticated.SEC_3GPP_HEARTBEAT_OUTPUT
          patternType: literal
        operation: Describe
        host: "*"
      - resource:
          type: topic
          name: unauthenticated.VES_MEASUREMENT_OUTPUT
          patternType: literal
        operation: Write
        host: "*"
      - resource:
          type: topic
          name: unauthenticated.VES_MEASUREMENT_OUTPUT
          patternType: literal
        operation: Describe
        host: "*"
    type: simple 
  • Apply kafka-user.yaml
Create user
kubectl apply -f kafka-user.yaml
  • List kafka users
Check/List new user
root@control01-daily-master-sm:/# kubectl -n onap get kafkauser
NAME                              CLUSTER        AUTHENTICATION   AUTHORIZATION   READY
external-strimzi-kafka-user       onap-strimzi   scram-sha-512    simple          True
onap-aai-sdc-list-user            onap-strimzi   scram-sha-512    simple          True
onap-cds-sdc-list-user            onap-strimzi   scram-sha-512    simple          True
onap-cps-kafka-user               onap-strimzi   scram-sha-512    simple          True
onap-dcae-hv-ves-kafka-user       onap-strimzi   scram-sha-512    simple          True
onap-mc-k8s-sdc-list-kafka-user   onap-strimzi   scram-sha-512    simple          True
onap-policy-kafka-user            onap-strimzi   scram-sha-512    simple          True
onap-sdc-be-kafka-user            onap-strimzi   scram-sha-512    simple          True
strimzi-kafka-admin               onap-strimzi   scram-sha-512    simple          True
  • List strimzi secrets
List user secrets
root@control01-daily-master-sm:/# kubectl -n onap get secret|grep strimzi
external-strimzi-kafka-user                                        Opaque                                2      2m7s
...
  • Get the user password

For each KafkaUser resource with scram-sha-512 auth, there will be a corresponding secret:

Get the user secret
kubectl get secret external-strimzi-kafka-user -o jsonpath='{.data.password}' -n onap | base64 --decode
Ujl...lSD

Test the external client access to Kafka


  • Add hostnames to DNS (or /etc/hosts) by using the IP Address of the istio-ingressgateway LB 
sudo vi /etc/hosts
----
10.32.240.14 kafka-bootstrap-api.simpledemo.onap.org
10.32.240.14 kafka-api.simpledemo.onap.org


  • Install KafkaCat
sudo apt install kafkacat
  • Get the Metadata (use an existing Kafka User, here "external-strimzi-kafka-user"):
root@control01-daily-master-sm:/# kafkacat -L -b kafka-bootstrap-api.simpledemo.onap.org:9003 -X security.protocol=sasl_ssl -X enable.ssl.certificate.verification=false -X sasl.mechanisms=SCRAM-SHA-512 -X sasl.username=external-strimzi-kafka-user -X sasl.password=hCv4IZ3Q6XLR -v
Metadata for all topics (from broker -1: sasl_ssl://kafka-bootstrap-api.simpledemo.onap.org:9003/bootstrap):
 3 brokers:
  broker 0 at kafka-api.simpledemo.onap.org:9000 (controller)
  broker 2 at kafka-api.simpledemo.onap.org:9002
  broker 1 at kafka-api.simpledemo.onap.org:9001
 33 topics:
  topic "org.onap.dmaap.mr.PNF_REGISTRATION" with 2 partitions:
    partition 0, leader 2, replicas: 2, isrs: 2
    partition 1, leader 1, replicas: 1, isrs: 1 ...
  • Get Topic Data (use an existing Kafka User, here "external-strimzi-kafka-user"):
kafkacat -b kafka-bootstrap-api.simpledemo.onap.org:9003 -X security.protocol=sasl_ssl -X enable.ssl.certificate.verification=false -X sasl.mechanisms=SCRAM-SHA-512 -X sasl.username=external-strimzi-kafka-user -X sasl.password=hCv4IZ3Q6XLR -C -t unauthenticated.VES_NOTIFICATION_OUTPUT -v

{"event":{"commonEventHeader":{"startEpochMicrosec":8745745764578,"eventId":"FileReady_1797490e-10ae-4d48-9ea7-3d7d790b25e1","timeZoneOffset":"UTC+05.30","internalHeaderFields":{"collectorTimeStamp":"Tue, 12 06 2022 01:35:59 GMT"},"priority":"Normal","version":"4.0.1","reportingEntityName":"otenb5309","sequence":0,"domain":"notification","lastEpochMicrosec":8745745764578,"eventName":"Noti_RnNode-Ericsson_FileReady","vesEventListenerVersion":"7.0.1","sourceName":"oteNB5309"},"notificationFields":{"notificationFieldsVersion":"2.0","changeType":"FileReady","changeIdentifier":"PM_MEAS_FILES","arrayOfNamedHashMap":[{"name":"test.xml.gz","hashMap":{"location":"sftp://sftp:22/test.xml.gz","fileFormatType":"org.3GPP.32.435#measCollec","fileFormatVersion":"V10","compression":"gzip"}}]}}}
...
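
A hardened form of the two kafkacat calls above, as an added example that is not part of the original page: the SCRAM password goes into a 0600 properties file read with `-F` instead of `-X sasl.password=...` on the command line, and the broker certificate is checked against the Strimzi cluster CA. Assumptions: the CA is in the secret `onap-strimzi-cluster-ca-cert` (Strimzi's `<cluster>-cluster-ca-cert` naming), the ingress passes TLS through to the brokers, and the broker certificates cover the external hostnames; `fetch_secret_key`, `write_kafkacat_conf`, `kcat.conf` and `ca.crt` are names introduced here.

```shell
#!/bin/sh
# Added example (not from the original page): keep the SCRAM password out of
# argv and verify the broker certificate by using a kafkacat properties file.
set -eu

# fetch_secret_key <secret> <jsonpath-key>: decode one key of a secret in the
# onap namespace. Dots in the key must be escaped, e.g. 'ca\.crt'.
fetch_secret_key() (
  enc=$(kubectl -n onap get secret "$1" -o "jsonpath={.data.$2}") || exit 1
  printf '%s' "$enc" | base64 --decode
)

# write_kafkacat_conf <out-file> <username> <password> <absolute-ca-pem-path>
write_kafkacat_conf() (
  out=$1 user=$2 pass=$3 ca=$4
  nl='
'
  # A newline inside a value would add extra properties to the file.
  case "$user$pass$ca" in
    *"$nl"*) echo "newline in value rejected" >&2; exit 1 ;;
  esac
  [ -n "$user" ] && [ -n "$pass" ] || { echo "empty credential" >&2; exit 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null ||
    { echo "CA file missing or not PEM: $ca" >&2; exit 1; }
  umask 077   # subshell body: the umask does not leak to the caller
  printf '%s\n' \
    "security.protocol=sasl_ssl" \
    "sasl.mechanisms=SCRAM-SHA-512" \
    "sasl.username=$user" \
    "sasl.password=$pass" \
    "ssl.ca.location=$ca" \
    "enable.ssl.certificate.verification=true" > "$out" || exit 1
  chmod 600 "$out"   # also tightens a pre-existing file
)

# Usage on a host with kubectl access (comments only, nothing runs here):
#   fetch_secret_key onap-strimzi-cluster-ca-cert 'ca\.crt' > ca.crt
#   write_kafkacat_conf kcat.conf external-strimzi-kafka-user \
#     "$(fetch_secret_key external-strimzi-kafka-user password)" "$PWD/ca.crt"
#   kafkacat -F kcat.conf -L -b kafka-bootstrap-api.simpledemo.onap.org:9003
```

If the handshake fails with this file, the certificate presented at the ingress is not signed by that CA or does not match the hostname, which is what `enable.ssl.certificate.verification=false` was hiding.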

